Anyone here have experience with Fortigate products? How do they compare to Checkpoint in terms of performance and reliability? We have Checkpoints currently and have been running into performance and reliability issues (particularly when the Infosec team goes crazy with their vulnerability scans, but also from DoS attacks from the web). The Fortigate salespeople claim they are the only ones in the space offloading traffic to ASICs. Is this true and does it make a difference in real life?
Hey, this is a forum for FTNT, so nobody is going to tell you anything bad. Okay, here are my thoughts, since I work with both platforms almost daily or weekly.
My opinion for OP and anybody looking at the two platforms:
"None are better than the other; it's like saying is a Toyota better than a Honda."
Support is going slowly downhill, and that is from me working with their support and products for 20+ years.
The security manager/MDS is excellent in tracing or searching objects, and it's really the 1st security manager historically, so it has improved over the course of decades. It's simple to use and laid out fairly well. They did a good job in that area.
Hardware is reliable; even though in my day job we have 50/50 real appliances and virtual, we have not seen any hardware failure, nor have I heard of anything failing.
CHKP HA-cluster and failover is just a mess, just as bad as Junos or actually worse. I have nothing positive to say in those areas. Just expect some reboots if you actually fail over anything.
VPN diagnosis is simple and pcap generation is excellent for assistance in troubleshooting.
As you should know, licensing in anything with regards to CHKP has a price tag $$$$ and, like clustering, is a mess to manage or understand if you do not do it regularly.
A lot of changes to the security-manager system are scripts and file modifications that can be intimidating (Forcepoint SMC is done in the same fashion, by many local-host files that you have to edit).
Logging and analysis can be a breeze, but you need add-ons to fully achieve anything in that area.
Centralized NAT table and objects, or a mix of the two, can cause issues if you do not know what's going on.
Also, Checkpoint solution documents are written probably slightly better than Fortinet's, but that's just my opinion; others might disagree.
Support is fair; the RMA process sucks in general. Also, the hand-off to another engineer and the process is poor, to say the least.
Application control works and works very well.
Software upgrades are simple as 1 2 3.
SD-WAN is a big feature that a lot of small to medium orgs are moving to; it's a strong point.
The web GUI is good, and FortiManager, if you have wide deployments, is a great management solution.
IDS/IDP rules management is much simpler than CHKP.
IDS/IDP updates are also much simpler and more reliable to execute.
Clustering/failover is a breeze to manage (see my above bold complaint).
DoS flood mitigation is simple, but like anything, if you're overrun you will have problems. It does not matter if it's a FTNT, CHKP, PANW or JNPR; flood control is a royal PITA.
NAT and VIP management is much simpler also in FTNT.
If you have a hardware failure, it's almost effortless to restore if you have the last-saved cfg; cannot say the same for CHKP-sg. You have a lot of minor steps you have to do to restore a CHKP.
Summary: both are great platforms. If you're looking at NSS Labs you will see both are great in all areas. CHKP is still the leader or the big dog to beat, but it comes at a price tag. I love both platforms, but for many, many different reasons.
I would ask for a demo and run a device in a lab or test-env before committing down that path. But you can't go wrong with a Fortigate. Also, CHKP is losing market share at a steady beat, and has been for decades now. I stay in touch with my old Fortigate partner, and for every bid/proposal lost out to CHKP, these can be counted on one hand.
I favor Fortinet most of the time over Checkpoint. Palo would also be a better platform to look at, but again it comes with a price tag. They have improvements in a lot of areas where CHKP just does a C grade.